Pass the hash? Severity of Active Directory security flaw questioned

A vendor has publicly disclosed an Active Directory security flaw that puts a twist on typical
"pass the hash" attacks, potentially leaving the numerous enterprises that rely on Microsoft's
market-dominating directory service vulnerable. However, Microsoft and others have questioned the
validity and severity of the vulnerability.

According to details provided in a blog post by Aorato, an Israel-based Active
Directory security vendor, the proof-of-concept attack is the result of Active Directory's
single sign-on authentication mishandling of two of its underlying protocols: NT LAN Manager
(NTLM), the older default authentication protocol in Windows that is still available to all users
by default, and Kerberos,
the preferred authentication protocol that has been in place since the release of Windows 2000.

Pass the hash is a long-known NTLM-based attack technique. Attackers have long used it to gain
unauthorized access to victims' machines as an alternative to more time-consuming methods such as
password guessing or cracking.

Aorato's proof-of-concept attack relies on typical pass the hash measures, with an attacker
first needing to run a penetration testing tool -- like Mimikatz or Windows Credential Editor -- to
steal an NTLM hash.

Once computed, an NTLM hash essentially functions as a replacement for a user's password,
whereas the newer Kerberos protocol works by exchanging a password for a ticket. Kerberos still
relies on the weak RC4 encryption algorithm, though, and according to Aorato -- as well as
Microsoft's own documentation -- RC4 is able to use an NTLM hash as its key.

Whereas a stolen NTLM hash could typically only be used by attackers to log on to a victim's
machine and others on a network with the same permissions, Tal Be'ery, vice president of research
for Aorato, said attackers could use this new method to downgrade the authentication level of
Kerberos, enabling them to masquerade as the user to Active Directory with the NTLM hash.

An attacker could then change the victim's password, said Be'ery, and consequently access any
enterprise services that utilize Active Directory -- all without setting off any alarms, as such
activity would not appear abnormal in a company's logs.
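A defender-side check for the downgrade described above, added here as an example (not code from the article or from Aorato): a domain controller records each TGT request as Security event 4768, and its Ticket Encryption Type field shows whether the ticket was issued with RC4-HMAC (0x17) or AES (0x11/0x12). The script scans constructed, flattened 4768 lines and flags RC4 tickets for accounts that otherwise receive AES ones; the field names and type ids follow Microsoft's event documentation, and the assumption that AES is the normal baseline only holds for clients and accounts that support it.

```python
import re
from collections import defaultdict

# Constructed sample entries, each a Security-log event flattened to one line. Field names
# follow the real 4768 (TGT request) and 4769 (service ticket) events; values are made up.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.99 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=svc_legacy TargetDomainName=CORP IpAddress=10.0.0.7 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.0.8 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
]

# Kerberos encryption type ids as they appear in the TicketEncryptionType field.
RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}  # AES128 / AES256 CTS-HMAC-SHA1-96
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened event line into a dict; the two numeric fields become ints."""
    ev = dict(FIELD_RE.findall(line))
    ev["EventID"] = int(ev["EventID"])
    ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev

def find_rc4_downgrades(lines, legacy_accounts=frozenset()):
    """Flag successful TGT requests (4768) whose ticket was issued with RC4-HMAC.
    high = the account also receives AES tickets, so RC4 is a downgrade (the pattern to hunt);
    medium = the account is only ever seen with RC4 (audit its configuration);
    info = a documented legacy account that still needs RC4. Returns (severity, account, IP).
    """
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] == 4768 and ev["Status"] == "0x0":  # successful TGT requests only
            by_user[ev["TargetUserName"]].append(ev)
    findings = []
    for user, events in by_user.items():
        uses_aes = any(e["TicketEncryptionType"] in AES_TYPES for e in events)
        for e in events:
            if e["TicketEncryptionType"] != RC4_HMAC:
                continue
            # Known legacy dependency outranks the downgrade heuristic; otherwise the
            # presence of AES tickets for the same account is what makes RC4 suspicious.
            severity = "info" if user in legacy_accounts else ("high" if uses_aes else "medium")
            findings.append((severity, user, e["IpAddress"]))
    return findings
```

Accounts that legitimately still use RC4 (older clients, some service accounts) should be baselined into `legacy_accounts` first, so that an RC4 ticket is the exception in the output rather than the norm.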

Be'ery conceded that users would be unable to use their original credentials once an attacker
had changed them, thus leaving only a certain window of opportunity to take advantage of the
access, but that window may be more than enough to do significant damage to an organization.

"A vulnerability in this infrastructure is highly sensitive," Be'ery said. "[NTLM hash theft] is
already implemented in many attackers' tools. Therefore, it would be very easy for attackers to
implement this new variant."

AD pass the hash flaw disputed

Though Aorato touted its research as a new discovery, a Microsoft spokesperson disputed those
claims, noting that the flaw -- referred to as a "limitation" -- is well known within the security
industry.

In a press statement, Microsoft provided information on methods to block attackers from changing
passwords in such a fashion, including deploying smart cards, disabling Kerberos RC4 support on
all domain controllers, or, in Windows Server 2012 R2 domains, placing users into the new
Protected Users security group -- a move that Be'ery said would certainly clamp down on security,
but with the tradeoff that users might not be able to log on to all their usual systems.

Sander Berkouwer, Microsoft technology lead with Netherlands-based OGD ict-diensten and a Microsoft
MVP, described Aorato's finding as "clever," but questioned whether the research revealed
information the security industry had never seen before.

For instance, Berkouwer said NTLM
security issues, including the usual pass the hash technique at the core of Aorato's proof of
concept, have been an accepted reality for many years, which is why organizations have slowly been
trying to eliminate the aged protocol from their environments -- though he noted Kerberos has faced
similar problems.

Microsoft has also long been aware of attempts by attackers to force clients to utilize weaker
authentication protocols, according to Berkouwer, and in fact, the Redmond, Washington-based
software giant has taken steps to address those problems, though not to the benefit of all
users.

"It is something that has been solved by Microsoft in operating systems that are not
particularly favorable with organizations," namely Windows 8, Berkouwer said. "The problem is, you
need to upgrade everything: The client needs to be at least Windows 8, and your domain controller
[upgraded] to Windows Server 2012."

Be'ery said he understands why Microsoft responded in a defensive manner.

If the company were to admit that Aorato's findings constituted a legitimate vulnerability, he
noted, it would be forced into fixing a difficult problem that goes as deep as the core of the
Kerberos protocol's design.

Be'ery said the official designation of the flaw does not matter as long as Microsoft recognizes
the problem and provides a fix. Microsoft chose not to do that when Aorato privately disclosed the
issue to the company though, according to Be'ery, which is why the security vendor chose to go
public.

"Microsoft's view is that this is in fact the consequence of the design of the Kerberos
protocol," said Be'ery, "but we're thinking that it doesn't matter if it's an implementation error
or by-design error."

Be'ery said the company is ready to accept the criticism it may receive from some who believe
the disclosure will ultimately do more harm than good.

"Should we disclose something that might help attackers? The dilemma is a valid one," Be'ery
added. "If a vendor is prepared to fix it, you don't publish anything before they fix it, but if
they don't fix it, you are helping the bad guys and not the good guys."
